Report: implementation flaws hound wireless security

Security firm Codenomicon has released a report detailing its findings when …

Wireless technology may be on its way to becoming ubiquitous in developed countries, but there's a tremendous difference between having a WiFi connection on every corner and having a (reasonably) secure WiFi connection on every corner. All of the modern wireless standards have their own security mechanisms, but the degree to which those mechanisms are enabled and available can vary widely from hotspot to hotspot. If a recent report from Codenomicon is correct, simply turning on the appropriate security protocols isn't nearly enough: the company's report (PDF) claims that a large number of supposedly secure devices can be hacked thanks to flaws in the implementations of those protocols. Even where the standards are correctly implemented, the inherent complexity of a device's software stack can open it to attackers.

Before I dig into the report itself, it's important to note that Codenomicon is not a neutral research firm in the field of wireless security technology. The company develops and produces a comprehensive security evaluation program called DEFENSICS. The report's test results were reached via the use of this tool and the company praises DEFENSICS at several points within the body of the paper. While this does introduce the possibility of bias, the fact that the company produces security tools does not, ipso facto, disqualify it from using its own tools to document accurate wireless security test results.

Codenomicon's tests focused on "fuzzing" the wireless devices in question to gauge their robustness. The paper defines fuzzing as "the systematic creation of a very large number of protocol messages, from thousands to several million test cases, containing exceptional elements simulating malicious attacks." According to the company, a large share of the security vulnerabilities that get reported are robustness failures of exactly this kind, which makes robustness testing paramount, and Codenomicon just happens to have the perfect tool for it in its own DEFENSICS suite. If its results are representative of what other fuzzers would find, a number of vendors have shipped devices that fail under malformed input with relative ease, as the tables below show. Table 1 gives results for the 31 Bluetooth devices tested, broken down by protocol layer and profile; Table 2 gives results for seven wireless access points (AP1 through AP7 across the top row), broken down by the protocol that was fuzzed.

Table 1: Bluetooth interfaces and profiles fuzzed

Interface/profile   Implementations tested   Implementations failed   Failed (%)
L2CAP                                   31                       26           84
SDP                                     31                       24           77
RFCOMM                                  31                       28           90
A2DP                                     2                        2          100
AVRCP                                    3                        3          100
HCRP                                     1                        1          100
HID                                      1                        1          100
OPP                                     15                       12           80
FTP                                      5                        5          100
IrMC Sync                                1                        1          100
BIP                                      1                        1          100
BPP                                      1                        1          100
HFP                                      5                        2           40
HSP                                      5                        2           40
FAX                                      2                        0            0
DUN                                      5                        2           40
SAP                                      4                        4          100

Table 2: Wireless access points fuzzed, by protocol (N/A = not tested on that device)

Protocol        AP1    AP2    AP3    AP4    AP5    AP6    AP7    Fail rate (%)
WLAN            Inc.   Fail   Inc.   Fail   N/A    Inc.   Inc.   33
IPv4            Fail   Pass   Fail   Pass   N/A    Fail   Inc.   60
ARP             Pass   Pass   Pass   N/A    Fail   Pass   Pass   16
TCP             N/A    N/A    Fail   N/A    Fail   Pass   N/A    66
HTTP            N/A    Pass   Fail   Pass   Inc.   Fail   Fail   50
DHCP            Fail   Fail   Inc.   N/A    Fail   Fail   N/A    80
Fail rate (%)   50     40     50     33     75     50     25

Codenomicon doesn't provide any information on the specific devices tested, but the trend is not encouraging. According to the company, one reason for the high number of flaws in the Bluetooth and WiFi products tested is the complexity of both standards' software stacks. Although WiMAX devices aren't readily available at this point, Codenomicon implies that the same sorts of robustness and implementation flaws are likely to turn up in devices based on that standard as well. One caveat when reading the tables: a "fail" means the implementation stopped behaving correctly when fed malformed input. That is a robustness problem, and typically a denial-of-service one, but the report does not establish whether any given failure can be pushed further than that. Unsurprisingly, given that this is a paper written about its own product, Codenomicon concludes that it's a really good idea to test software robustness with a tool built specifically for that purpose before shipping the software.
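To make the report's definition of fuzzing concrete, here is an added example; it is not Codenomicon's code and is not DEFENSICS. It is a small mutation fuzzer for the DHCP options block, the protocol with the worst fail rate among the access points. From one well-formed baseline it generates "exceptional elements" (a truncated packet, a length field that lies, an oversized value, a missing end marker, padding with no terminator, and seeded random byte corruption) and runs them against two constructed parsers: a naive one that trusts every length field, standing in for the kind of implementation that fails, and a bounds-checked one. A controlled ValueError is counted as a pass and any other exception as a robustness failure, mirroring the pass/fail verdicts in the tables. The baseline packet, both parsers and the 64-byte hostname buffer limit are assumptions made for illustration.

```python
"""Mutation fuzzer for DHCP options (constructed example, not Codenomicon's
code). 'Exceptional elements' separate a parser that trusts length fields
from one that bounds-checks every read."""
import random
from typing import Dict, Iterator, Tuple

MAGIC = bytes([0x63, 0x82, 0x53, 0x63])   # DHCP options magic cookie
OPT_PAD, OPT_HOSTNAME, OPT_MSGTYPE, OPT_END = 0, 12, 53, 255
HOSTNAME_BUF = 64   # assumed fixed buffer inside the naive implementation

def option(code: int, data: bytes) -> bytes:
    """Encode one TLV option: code, length, value."""
    return bytes([code, len(data)]) + data

# Constructed baseline: a well-formed DHCPDISCOVER options block.
BASELINE = (MAGIC + option(OPT_MSGTYPE, b"\x01")
            + option(OPT_HOSTNAME, b"printer") + bytes([OPT_END]))

def naive_parse(pkt: bytes) -> Dict[int, bytes]:
    """Trusts every length field, like a C parser with no bounds checks."""
    if pkt[:4] != MAGIC:
        raise ValueError("bad magic cookie")
    out: Dict[int, bytes] = {}
    hostname = bytearray(HOSTNAME_BUF)      # stands in for char name[64]
    i = 4
    while pkt[i] != OPT_END:                # walks off the end if no marker
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        value = bytearray()
        for j in range(length):             # over-reads if the length lies
            value.append(pkt[i + 2 + j])
        if code == OPT_HOSTNAME:
            for j, b in enumerate(value):   # overflows the fixed buffer
                hostname[j] = b
        out[code] = bytes(value)
        i += 2 + length
    return out

def robust_parse(pkt: bytes) -> Dict[int, bytes]:
    """Checks every offset against len(pkt) before reading it."""
    if len(pkt) < 4 or pkt[:4] != MAGIC:
        raise ValueError("bad magic cookie")
    out: Dict[int, bytes] = {}
    i = 4
    while True:
        if i >= len(pkt):
            raise ValueError("missing end marker")
        code = pkt[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        if i + 2 + length > len(pkt):
            raise ValueError("option length exceeds packet")
        if code == OPT_HOSTNAME and length > HOSTNAME_BUF:
            raise ValueError("hostname longer than buffer")
        out[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length

def mutate(base: bytes, seed: int = 1) -> Iterator[Tuple[str, bytes]]:
    """Named test cases from one valid packet: anomalies, then random corruption."""
    yield "truncated", base[:-3]            # cut inside the last option
    yield "no_end_marker", base[:-1]
    yield "length_overrun", base[:5] + b"\xff" + base[6:]   # msgtype len 255
    yield "oversized_hostname", (MAGIC + option(OPT_MSGTYPE, b"\x01")
                                 + option(OPT_HOSTNAME, b"A" * 200)
                                 + bytes([OPT_END]))
    yield "only_padding", MAGIC + bytes([OPT_PAD] * 8)
    rng = random.Random(seed)
    for n in range(20):
        buf = bytearray(base)
        buf[rng.randrange(4, len(buf))] = rng.randrange(256)
        yield f"flip_{n}", bytes(buf)

def run_campaign(parser, cases) -> Dict[str, str]:
    """A controlled ValueError is a pass; any other exception is a failure."""
    verdicts: Dict[str, str] = {}
    for name, pkt in cases:
        try:
            parser(pkt)
            verdicts[name] = "pass"
        except ValueError:
            verdicts[name] = "pass"
        except Exception as exc:            # IndexError etc.: it crashed
            verdicts[name] = f"fail ({type(exc).__name__})"
    return verdicts

def fail_rate(verdicts: Dict[str, str]) -> int:
    """Percentage of failed cases, rounded like the report's tables."""
    failed = sum(v.startswith("fail") for v in verdicts.values())
    return round(100 * failed / len(verdicts))

if __name__ == "__main__":
    for p in (naive_parse, robust_parse):
        print(p.__name__, fail_rate(run_campaign(p, list(mutate(BASELINE)))), "% failed")
```

Every structural anomaly crashes the naive parser with an IndexError (the Python stand-in for an out-of-bounds read or a buffer overflow in C), while the bounds-checked parser rejects each one with a ValueError and never raises anything else, even under the random corruption. A real campaign differs mainly in scale and instrumentation: the cases go over the air or the wire, and the "crash" signal comes from watching the target rather than catching an exception.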